1. Field of the Invention
This invention is related to the field of computer network security and, more particularly, to ensuring the separation of different user communities.
2. Description of the Related Art
With the ever expanding use of computer networks throughout society and the increasing interconnection of computer networks and users has come an increasing importance on maintaining the security of data. It is common for enterprise computer networks to have more than one user community, each with its own set of data. For example, a bank may have a production community which includes persons who are involved in the day to day workings of the bank. In addition, a bank may have a development community which includes persons working to develop and test new banking computer applications. Further, a bank may have a public web site which allows Internet users to obtain information or services related to the bank. Each of these user communities requires access to different sets of data which in some cases may be mutually exclusive.
In an enterprise network, some computing resources may be dedicated to users of a single community, and others may be shared among users of multiple communities. Single Community Nodes (SCNs) are network nodes (e.g., computers, networking equipment, etc.) processing information on behalf of users in a single community. Multi-Community Nodes (MCNs) are network nodes processing information on behalf of individuals in more than one community. Examples of MCNs include servers, routers, and administrative workstations. Executing on MCNs are Multi-Community Applications (MCAs). MCAs are software performing functions on behalf of users in more than one community. MCAs may run within the operating system kernel or communications protocol software, or may be programs running under the control of the operating system in an MCN.
Generally, an enterprise has in place a network security policy which includes a community separation policy stating that the data of a particular community should only be accessible by members of that community. Consequently, each user on the computer network must be prohibited from: (1) accessing the data of a community of which he is not a member, and (2) exposing the data of a community of which he is a member to a user outside that community. When resources such as MCNs are shared by users in more than one community, the potential for a breach of the community separation policy is increased and adequate enforcement of the policy takes on greater importance. Threats to the security of computer network data include threats from xe2x80x9cexternal intrudersxe2x80x9d and threats from xe2x80x9cmalicious insidersxe2x80x9d. An external intruder is a user in one community who attempts to access or modify the data of another community, or disrupt service in another community by interfering with the normal and proper operations of the computer resources used by the other community. On the other hand, a malicious insider is a user in one community who attempts to leak data from his own community to a user in another community, by sending data packets to another community, causing data packets from his community to be misrouted, making data from his community available to external intruders, or otherwise using computer resources to leak or signal information. It should be noted that an insider may inadvertently leak information to another community due to human error or faulty software logic. This may have the same effect as the malicious insider who deliberately causes such leakage.
One well known method of providing for community separation in multi-community enterprise networks includes segmenting the network by community such that all computing resources are dedicated to a community and no resources are shared between communities. The network segmentation methods involve replicating servers, routers, bridges, hubs, switches, and cables, thereby physically segregating user communities. However, such a replication technique is not only costly, it also provides significant operational complexities. For example, one type of server is a network management station. If such a station were replicated and each station""s access were physically restricted to a single community""s computing resources, the network administrator for the enterprise would be able to monitor and control only the network resources for a single community from a single station. However, the role of the network administrator requires monitoring and control of the entire network. Hence, the security approach significantly complicates the management of the network.
Another practiced method of providing community separation is to use firewalls to control the flow of information between communities. A firewall is a method used to control information flow between two or more networks by blocking or permitting flows according to a predetermined set of rules based on the source and destination of the data, the requested service, and other criteria. Firewalls are frequently used by an enterprise to control the access of those on an external network, such as the Internet, to the enterprise""s inner network. Firewalls may also be used to protect some parts of an inner network from other parts of an inner network. However, the rules associated with firewalls can be complex and onerous to set up. It is also difficult to validate that the rule set enforces community separation, and such validation must be done each time the rules are modified.
A third method of providing community separation involves incorporating support in applications on the network for cryptographic protocols and data security methods. However, such an approach is undesirable as it can be very costly in application development and can be operationally burdensome to administer.
To further provide for data security, it is common for the network topology and node connectivity to be controlled. Such controls may include physical separation, logical separation (such as in Virtual Local Area Networks [VLANs]), special privileges or authorizations, or cryptographic methods (such as Virtual Private Networks [VPNs]). Such methods typically provide that each network node is physically or logically connected to a network (including a network segment, subnetwork, VLAN, network zone, network partition, network tunnel, or VPN) only if the node is authorized to access the community data being communicated over the network.
In addition, Multi-Community Applications may be designed so that they may be xe2x80x9ctrustedxe2x80x9d, i.e., do not violate the community separation policy. In particular, when an MCA sends information to a user on another network node, it is trusted not to disclose information belonging to communities of which that user and his computer are not members. Some MCNs are xe2x80x9cclosedxe2x80x9d nodes on which only trusted MCAs are allowed to run and which do not allow unrestricted user access. However, even if the MCAs are trusted, the networking protocols within the MCN could allow community information to be disclosed in violation of the community separation policy, especially if they do not contain mechanisms which explicitly provide for community separation enforcement. Other MCNs are xe2x80x9copenxe2x80x9d nodes which may allow untrusted application software to run on them, or allow general user access. To enforce community separation on open nodes, more extensive mechanisms may be required than for closed nodes.
Broadly speaking, a method and mechanism of community separation control in a multi-community node are contemplated. Generally, the method and mechanism include determining a packet community set (PCS) of a first data packet, discarding the data packet if the PCS is null or alternately if the PCS is not a subset of the intersection of a source network address community set (NACS) and a destination NACS of the data packet, and allowing further processing of the data packet if the PCS is not null. The PCS of the data packet may be determined by one of the following alternatives: calculating an intersection of a source network service community set (NSCS) and a destination NSCS of the data packet; calculating an intersection of a source network address community set (NACS) of the data packet, a destination NACS of the data packet, and an application community set (ACS) of the process which sent the data packet; or decoding the PCS from the header of the data packet. The method and mechanism may include consulting a community information base which maintains community set associations.
In one embodiment, if the data packet is outgoing, the method and mechanism may include discarding the data packet if the PCS is not a subset of an ACS of the process which sent the data packet, and discarding the data packet if the PCS is not a subset of an interface community set (IFCS) of the interface over which the data packet is to be output. Otherwise, further processing may be permitted. If the data packet is incoming, the data packet is discarded if the PCS is not a subset of an IFCS over which the data packet was received. If the data packet is incoming and its destination is the local host, the data packet is discarded if the PCS is not a subset of an ACS of the destination process of the data packet. If the data packet is incoming and its destination is a remote host, the data packet is discarded if the PCS is not a subset of the IFCS of the output interface corresponding to the remote host. Other embodiments may include encoding the PCS in the data packet prior to transmitting the data packet to a remote node.